On 04.12.2016 09:22, Arne Nordmark wrote:
> Unfortunately, the newly released wheezy security update 7.0.28-4+deb7u7
> also suffers from this problem.
>
> Can it be so that the important part missing is the loop traversing the
> class loaders in validateGlobalResourceAccess():
>
> while (cl != null) {
>     ...
>     cl = cl.getParent();
> }

Hello,

I have prepared the update for Wheezy. Since you confirmed that using the ResourceLinkFactory class from 7.x trunk works for you, we have replaced the current version with this one. At the moment I fail to understand what we are missing because upstream's fix for CVE-2016-6797 is relatively straightforward [1] and we have already taken your bug report into account. Could you elaborate in which file the code from above is missing?

Thanks,

Markus

[1] https://svn.apache.org/viewvc?view=revision&revision=1757275